The National Information Technology Authority Uganda (NITA-U) has completed its investigations into allegations of unlawful sharing of SafeBoda users’ personal data without their consent by Guinness Transporters Limited Trading as SafeBoda, and issued a report on the same.
The investigations were commenced following a complaint made by Mr. Obedgiu Sammy and it was carried out pursuant to the powers upon NITA in section 32 of the Data Protection & Privacy Act of 2019, to investigate complaining alleging either non-compliance with the provisions of the Act or breaches.
This investigation, arguably the first investigation under the provisions of the Data Protection and Privacy Act, 2019 concluded that:
- The SafeBoda’s Privacy Policing & Data Protection Policy version of 2017 and 2019 respectively did not provide information on recipients with whom its users personal data will be shared;
2. SafeBoda’s disclosure of its users’ personal data to CleverTap (a data processor that offered Software as a Service for customer lifestyle management and mobile marketing) contravened the Data Protection and Privacy Act, since the consents’ relied upon for the disclosure were not specific neither were they informed, given that a) The users were not informed of a) the extent of the personal data collected and b) the potential disclosure of their personal data with Clever Tap.
SafeBoda has been directed to address all the areas of non-compliance identified within four months.
